diff --git a/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/files/varnish/unknown_vhost_then_forbidden_access.vcl
@@ -0,0 +1,12 @@
+# known_vhost_determine_forbidden_access.vcl
+#
+# Now that we passed along all vhosts declared, we should be able to determine
+# if the access to such query should be forbidden or not
+#
+# File managed by puppet. All modifications will be lost.
+
+sub vcl_recv {
+ if (var.get("known-vhost") != "yes") {
+ return(synth(403, "Forbidden access to unknown vhost " + req.http.host));
+ }
+}
diff --git a/site-modules/profile/manifests/varnish.pp b/site-modules/profile/manifests/varnish.pp
--- a/site-modules/profile/manifests/varnish.pp
+++ b/site-modules/profile/manifests/varnish.pp
@@ -33,6 +33,11 @@
 }
 }
 
+ $extra_packages = ["varnish-modules"];
+ package {$extra_packages:
+ ensure => installed,
+ }
+
 class {'::varnish':
 addrepo => false,
 listen => $listen,
@@ -48,7 +53,10 @@
 
 ::varnish::vcl {'/etc/varnish/default.vcl':
 content => template('profile/varnish/default.vcl.erb'),
- require => Concat[$includes_vcl],
+ require => [
+ Concat[$includes_vcl],
+ Package[$extra_packages],
+ ],
 }
 
 file {$includes_dir:
@@ -80,4 +88,10 @@
 order => '10',
 content => file('profile/varnish/synth_redirect.vcl'),
 }
+
+ ::profile::varnish::vcl_include {'unknown_vhost_then_forbidden_access':
+ order => '99',
+ content => file('profile/varnish/unknown_vhost_then_forbidden_access.vcl'),
+ }
+
 }
diff --git a/site-modules/profile/templates/varnish/default.vcl.erb b/site-modules/profile/templates/varnish/default.vcl.erb
--- a/site-modules/profile/templates/varnish/default.vcl.erb
+++ b/site-modules/profile/templates/varnish/default.vcl.erb
@@ -5,5 +5,6 @@
 vcl 4.0;
 
 import std;
+import var;
 
 include "<%= @includes_vcl_name %>";
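Review bot: The 403 reason string in the new `vcl_recv` concatenates `req.http.host`, which on this branch is by definition a Host value that matched no declared vhost, i.e. chosen by the client; as I read Varnish's built-in `vcl_synth`, `resp.reason` is rendered unescaped into the HTML error body, so unless a custom `vcl_synth` not visible here handles status 403, the caller's own Host header is reflected back into the page. Keep the reason static and log the offending host instead, `std.log("unknown vhost: " + req.http.host);` followed by `return(synth(403, "Forbidden access to unknown vhost"));` — `std` is already imported in default.vcl.erb in this same diff. The header comment also names the file `known_vhost_determine_forbidden_access.vcl` while the file is `unknown_vhost_then_forbidden_access.vcl`; correct it to `# unknown_vhost_then_forbidden_access.vcl` and state the invariant the check depends on, `# Catch-all fragment (concat order 99): every vhost include must set var known-vhost in vcl_recv; anything still unset is rejected.`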
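Review bot: Nothing in the manifest records that `order => '99'` on the new `vcl_include` must sort after every vhost fragment, yet both the fail-closed behaviour and the absence of false 403s depend on it: a vhost fragment sorting after the catch-all would have every one of its requests rejected before its `var.set` ever runs. Add a comment on the resource, `# must be the last vcl_recv fragment: rejects any request no vhost fragment above has marked as known`. If `::profile::varnish::vcl_include` defers to concat's default alphabetical ordering (its definition is not in this diff), note as well that orders compare as strings, so a future `'100'` would sort before `'99'`.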
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
@@ -11,6 +11,7 @@
 <% end -%>
 req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
 ) {
+ var.set("known-vhost", "yes");
 if (std.port(server.ip) == <%= scope['::profile::varnish::http_port'] %>) {
 set req.http.x-redir = "https://" + req.http.host + req.url;
 return(synth(850, "Moved permanently"));
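Review bot: The added `var.set("known-vhost", "yes");` is the only thing standing between a declared vhost and the order-99 catch-all 403, and nothing in this template makes that coupling visible; suggest a comment on the line, `# mark as declared vhost; the catch-all fragment rejects any request without this flag`. The `if` whose condition this hunk completes opens outside the hunk, and the flag is set only when the Host regex matches, so a request without a Host header is presumably left unmarked and rejected — worth stating in the comment if that is intended.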